Lesson 3: Securing Data Flow Through a DMZ

Firewalls regulate which protocols are allowed to enter and exit the DMZ. By configuring the firewall to allow only the authorized protocols to reach each server in the DMZ, you prevent attackers from connecting to those servers over any other protocol or port, which keeps every unneeded service off the reachable attack surface.

Determining a Firewall Strategy

When configuring a firewall, decide between the following basic firewall strategies based on your desired security level:

Specify allowed protocols and prohibit everything else. In this strategy the packet filters identify all protocols that are allowed to pass through the firewall. If a packet arrives that isn't identified by the packet filter listing, the packet is assumed to be disallowed and is dropped. This strategy is typically used at external firewalls to define which protocols are allowed to enter the DMZ and the private network and in high-security networks where only authorized protocols are allowed to enter the DMZ and the private network.

Specify prohibited protocols and allow everything else. In this strategy the packet filters identify all protocols that must be dropped at the firewall. If a packet arrives that isn't identified by the packet filter listing, the packet is allowed to pass through the firewall. This strategy is often used at an internal firewall to block private network users from specific protocols or in lower security networks where only unauthorized protocols are blocked at the firewall.

What About the Order of the Packet Filters?

The order in which packet filters are processed depends on the specific firewall product. Firewalls typically process the packet filters using one of two common methods.

The first method is to process the packet filters in the order in which they're entered, from the top to the bottom of the packet filter list, stopping at the first match. If your firewall uses this method, place the most specific and most important packet filters at the top of the list. For example, place a packet filter that allows access to the Web server using HTTP and HTTPS above a rule that denies access to any server in the DMZ; if the two were reversed, the general deny would match first and the Web server would be unreachable.

The second method is to process the most specific packet filters before the more general packet filters. In other words, a packet filter that restricts access to a specific server will be processed before a packet filter that defines traffic between network segments. For example, a packet filter that allows the DNS server in the DMZ to connect to a DNS server at an ISP will be processed before a packet filter that allows any computer on the public network to connect to the DNS server.

Making the Decision

Table 14.13 outlines the factors you need to consider when deciding between the common firewall strategies.

Table 14.13 Choosing Between Firewall Strategies

Use This Strategy                                         In These Circumstances
Specify allowed protocols and prohibit everything else.   Your strategy defines exactly which protocols are allowed to enter the DMZ.
                                                          You're defining packet filters for an external firewall.
Specify prohibited protocols and allow everything else.   You must prevent specific protocols, such as Finger, from entering or exiting the network.
                                                          You're defining packet filters for an internal firewall.

These aren't the only strategies. Nothing prevents you from using "Specify allowed protocols and prohibit everything else" and also creating packet filters that deny specific protocols. This is commonly done to log attempts to use the prohibited protocols: most firewalls log an event only when an explicit packet filter is matched, so packets dropped by the implicit default rule may leave no trace unless you add a matching deny filter.

Applying the Decision

For Market Florist, the "Specify allowed protocols and prohibit everything else" firewall strategy best meets the security needs of the network. This strategy enables Market Florist to define only authorized protocols that can enter the DMZ and the private network. If a protocol isn't included in the packet filter list, the protocol is assumed to be denied access to the DMZ or private network.

Securing DNS Resolution Traffic

The DNS service is the locator service for a Windows 2000 network (Active Directory clients find domain controllers through DNS records), and it's also the locator service for the Internet. When designing security for DNS, define how DNS traffic will move through your private network and through the DMZ to the Internet.

The key to securing DNS is separating the internal DNS service from the external DNS service. This allows separation of the internal DNS namespace from the external DNS namespace so that private network IP addressing schemes aren't exposed to the Internet.

Figure 14.12 shows a typical DNS deployment that's used when both internal and external DNS services are deployed in a network.

Figure 14.12 DNS traffic flow in a DMZ

In this configuration the internal firewall allows DNS packets to pass only from the internal DNS server to the external DNS server in the DMZ; the internal DNS server is configured with the external DNS server as its forwarder, so queries it can't answer itself are sent there. Internal DNS clients can reach only the internal DNS server, because the internal firewall prevents them from connecting to any other DNS server.

Based on the IP address information shown in the figure, Table 14.14 lists the packet filters that you must apply at the internal firewall to restrict DNS traffic between the two DNS servers.

Table 14.14 Internal Firewall Rules to Restrict DNS Usage

Protocol      Source IP        Source Port   Target IP        Target Port   Transport Protocol   Action
DNS           10.20.30.40      Any           10.30.30.40      53            TCP                  Allow
DNS           10.20.30.40      Any           10.30.30.40      53            UDP                  Allow
DNS           10.20.30.0/24    Any           10.30.30.40      53            TCP                  Deny
DNS           10.20.30.0/24    Any           10.30.30.40      53            UDP                  Deny

The first two packet filters allow the internal DNS server (10.20.30.40) to connect to the external DNS server (10.30.30.40) using either UDP-based or TCP-based DNS. The last two packet filters explicitly deny every other host on the 10.20.30.0/24 network from reaching the external DNS server on port 53; under the "Specify allowed protocols and prohibit everything else" strategy, queries to any other destination are dropped by the implicit default anyway, so the explicit deny filters mainly exist so that the attempts are logged. Because 10.20.30.40 falls inside 10.20.30.0/24, the two Allow filters must sit above the two Deny filters on a firewall that processes its list top to bottom; otherwise the internal DNS server itself is blocked.
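The two processing methods described under "What About the Order of the Packet Filters?" and the filters in Table 14.14 can be exercised together with a small evaluator. This is an added example, not code from the original lesson or from any firewall product: it models one packet filter per table row, evaluates a packet under both a default-deny and a default-allow policy, and under both top-to-bottom and most-specific-first processing. The table is deliberately entered with the /24 Deny filters above the host Allow filters to show the ordering hazard; the sample packets, filter names and the specificity scoring are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass

ANY = "Any"


@dataclass(frozen=True)
class Filter:
    name: str
    src: str         # host address, CIDR network, or "Any"
    sport: object    # port number or "Any"
    dst: str
    dport: object
    proto: str       # "TCP", "UDP", or "Any"
    action: str      # "Allow" or "Deny"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


def _network(spec):
    return None if spec == ANY else ipaddress.ip_network(spec, strict=False)


def matches(flt, pkt):
    """True when every field of the filter covers the packet ("Any" covers everything)."""
    def ip_ok(spec, addr):
        net = _network(spec)
        return net is None or ipaddress.ip_address(addr) in net

    def port_ok(spec, port):
        return spec == ANY or spec == port

    return (ip_ok(flt.src, pkt.src) and ip_ok(flt.dst, pkt.dst)
            and port_ok(flt.sport, pkt.sport) and port_ok(flt.dport, pkt.dport)
            and (flt.proto == ANY or flt.proto == pkt.proto))


def specificity(flt):
    """Score a filter by how tightly it pins the endpoints: longer prefixes and fixed ports win."""
    score = sum(net.prefixlen for net in (_network(flt.src), _network(flt.dst)) if net)
    score += (flt.sport != ANY) + (flt.dport != ANY)
    return score


def evaluate(filters, pkt, default="Deny", ordering="first-match"):
    """Return (action, filter name) for a packet.

    default  -- action when no filter matches: "Deny" for "specify allowed, prohibit
                everything else", "Allow" for "specify prohibited, allow everything else"
    ordering -- "first-match" walks the list top to bottom (the first method in the text);
                "most-specific" evaluates the tightest filters first (the second method),
                keeping list order only to break ties
    """
    ordered = list(filters)
    if ordering == "most-specific":
        ordered.sort(key=specificity, reverse=True)   # sort() is stable
    for flt in ordered:
        if matches(flt, pkt):
            return flt.action, flt.name
    return default, "implicit default"


# Table 14.14 entered with the two /24 Deny filters ABOVE the host Allow filters,
# the ordering mistake the text warns about.
TABLE_14_14_DENY_FIRST = [
    Filter("deny-lan-dns-tcp", "10.20.30.0/24", ANY, "10.30.30.40", 53, "TCP", "Deny"),
    Filter("deny-lan-dns-udp", "10.20.30.0/24", ANY, "10.30.30.40", 53, "UDP", "Deny"),
    Filter("allow-intdns-tcp", "10.20.30.40", ANY, "10.30.30.40", 53, "TCP", "Allow"),
    Filter("allow-intdns-udp", "10.20.30.40", ANY, "10.30.30.40", 53, "UDP", "Allow"),
]

# Constructed sample packets (ephemeral source ports chosen arbitrarily).
INTERNAL_DNS_QUERY = Packet("10.20.30.40", 49152, "10.30.30.40", 53, "UDP")  # the internal DNS server
WORKSTATION_QUERY = Packet("10.20.30.77", 49153, "10.30.30.40", 53, "UDP")   # an ordinary LAN client
WORKSTATION_SMB = Packet("10.20.30.77", 49154, "10.30.30.41", 445, "TCP")     # nothing in the table covers this


if __name__ == "__main__":
    for ordering in ("first-match", "most-specific"):
        print(ordering, evaluate(TABLE_14_14_DENY_FIRST, INTERNAL_DNS_QUERY, ordering=ordering))
    print("default-allow strategy:", evaluate(TABLE_14_14_DENY_FIRST, WORKSTATION_SMB, default="Allow"))
```

On a top-to-bottom firewall the mis-ordered list denies the internal DNS server's own forwarded queries; a most-specific-first firewall reaches the /32 Allow filter first and the same list works. Reversing the list so the Allow filters come first gives the correct result under both methods, which is why the text tells you to put the most specific filters at the top.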

NOTE

All firewall rules in this lesson assume that the firewalls support packet filter mirroring. As discussed in Lesson 1, packet filter mirroring allows response packets to be passed successfully through the firewall.

At the external firewall, create additional packet filters to allow external client computers to connect only to the DNS server using the DNS protocol. All other requests sent to the DNS server should be prevented (unless the DNS server is hosting other authorized services).

Table 14.15 lists the packet filters that you must establish at the external firewall to allow public network users to query the DNS server located in the DMZ and to allow the external DNS server to forward DNS requests to other DNS servers on the Internet.

Table 14.15 External Firewall Rules to Restrict DNS Usage

Protocol      Source IP        Source Port   Target IP        Target Port   Transport Protocol   Action
DNS           Any              Any           10.30.30.40      53            TCP                  Allow
DNS           Any              Any           10.30.30.40      53            UDP                  Allow
DNS           10.30.30.40      Any           Any              53            TCP                  Allow
DNS           10.30.30.40      Any           Any              53            UDP                  Allow

The first two packet filters allow any computers on the Internet to connect to the external DNS server (10.30.30.40) using either TCP-based or UDP-based DNS requests. The last two packet filters allow the external DNS server to forward DNS queries to any DNS server on the Internet.

NOTE

In this lesson, packet filters refer to the server's real IP address in the DMZ, not the address advertised on the Internet: the firewall's static address mapping translates the destination address before the packet filter is evaluated. Check the order in which your firewall product applies address translation and filtering, because a product that filters on the pre-translation address requires the rules to name the public address instead.

Making the Decision

When configuring a firewall to allow DNS traffic, include the following items in your security design:

Establish packet filters at the external firewall to allow only TCP port 53 and UDP port 53 packets to reach the DNS server.

Establish packet filters at the internal firewall to allow only the internal DNS server to send TCP port 53 and UDP port 53 packets to the external DNS.

Configure the internal DNS server to forward all queries it can't resolve to the external DNS server. In the same way, configure the external DNS server to forward queries it can't resolve to the ISP's DNS server. This strategy concentrates DNS resolution traffic on specific hosts and makes the packet filters easier to define.

Applying the Decision

Market Florist must configure the internal DNS server to forward irresolvable DNS requests to the external DNS server in the DMZ. Because there's only a single firewall, the firewall rules are included in a single packet filter listing. Table 14.16 shows the packet filters necessary to restrict DNS traffic for Market Florist.

Table 14.16 DNS Packet Filters for Market Florist

Protocol      Source IP        Source Port   Target IP        Target Port   Transport Protocol   Action
DNS           10.10.10.3       Any           192.168.77.254   53            TCP                  Allow
DNS           10.10.10.3       Any           192.168.77.254   53            UDP                  Allow
DNS           10.10.10.0/24    Any           Any              53            TCP                  Deny
DNS           10.10.10.0/24    Any           Any              53            UDP                  Deny
DNS           Any              Any           192.168.77.254   53            TCP                  Allow
DNS           Any              Any           192.168.77.254   53            UDP                  Allow
DNS           192.168.77.254   Any           131.107.199.56   53            TCP                  Allow
DNS           192.168.77.254   Any           131.107.199.56   53            UDP                  Allow

The first two packet filters allow the internal DNS server (10.10.10.3) to forward DNS queries to the external DNS server (192.168.77.254). The third and fourth packet filters prevent any other private network client (10.10.10.0/24) from querying any DNS server beyond the firewall. The fifth and sixth packet filters allow DNS clients on the Internet to query the external DNS server. And the final two packet filters allow the external DNS server to forward DNS queries to the ISP's DNS server (131.107.199.56). Because 10.10.10.3 is inside 10.10.10.0/24, the first two Allow filters must sit above the two Deny filters on a firewall that processes its list top to bottom.

NOTE

The rules that deny access to hosts on the 10.10.10.0/24 network prevent private network client computers from connecting to Internet-based DNS services and bypassing the internal DNS server. These rules force private network client computers to use the internal DNS server.

Securing Web Traffic

A Web server is one of the most common network resources made available for Internet access. A Web server listens for connections from external client computers on TCP port 80 for HTTP connections and on TCP port 443 for HTTPS connections.

Figure 14.13 depicts a Web server located in a DMZ that allows internal and external access to the Web server.

Figure 14.13 Web server placement in a DMZ

Configure access to the Web server in the DMZ at both the internal and external firewalls to ensure that only authorized protocols are allowed to connect.

At the external firewall, establish packet filters that limit connections to the Web server to the HTTP and HTTPS protocols. Table 14.17 lists the required packet filters for Figure 14.13.

Table 14.17 External Packet Filters for a Web Server

Protocol      Source IP        Source Port   Target IP        Target Port   Transport Protocol   Action
HTTP          Any              Any           10.30.30.41      80            TCP                  Allow
HTTPS         Any              Any           10.30.30.41      443           TCP                  Allow

The first packet filter allows Internet users to connect to the Web server (10.30.30.41) using HTTP, and the second packet filter allows Internet users to connect to the Web server using HTTPS.

NOTE

Establishing packet filters at the internal firewall to restrict access to the Web server from the private network is optional. The packet filters are required only if connections to the Web server must be limited to HTTP and HTTPS connections.

Making the Decision

When configuring a firewall to allow Web server traffic, include the following items in your security design:

Establish packet filters at the external firewall to only allow TCP port 80 and TCP port 443 packets to reach the Web server.

Implement SSL protection for any Web pages that require input of sensitive data from external users.

When authentication is required to a Web site, use either Windows Integrated Authentication or Basic Authentication with SSL encryption to protect credentials from interception.

Applying the Decision

Market Florist must ensure that the customer registration portion of the www.marketflorist.tld Web site is protected by SSL encryption so that credit card information isn't intercepted in transit. In addition, Market Florist must establish packet filters to restrict external access to the Web server. Table 14.18 lists the required packet filters.

Table 14.18 Web Server Packet Filters for Market Florist

Protocol      Source IP        Source Port   Target IP        Target Port   Transport Protocol   Action
HTTP          Any              Any           192.168.77.2     80            TCP                  Allow
HTTPS         Any              Any           192.168.77.2     443           TCP                  Allow

These two packet filters enable Internet users to connect to the Market Florist Web server (192.168.77.2) using only HTTP and HTTPS protocols.

NOTE

The firewall rules have to be established only for the NLBS Web server cluster IP address. Once the packets reach the Web cluster, the NLBS service determines which node receives the packets.

Securing FTP Traffic

FTP allows data to be transferred to and from a central location. When designing packet filters for FTP connections, it's helpful to understand how FTP transmissions work.

FTP uses two separate TCP connections for a session: a control connection (to TCP port 21 on the server) that carries FTP commands and replies, and a separate data connection for each file transfer or directory listing. The two channels are used so that a transfer in progress can be interrupted through the control connection.

Which side opens the data connection depends on the transfer mode. In active mode the client sends a PORT command naming an address and port, and the server initiates the data connection from its TCP port 20 to that endpoint. In passive mode (PASV) the server names an ephemeral port above 1023 and the client initiates the data connection to it. Server-initiated (active-mode) data connections are the case a packet filter must handle explicitly: you must establish packet filters that allow the FTP server to initiate data sessions from TCP port 20. Passive-mode data connections arrive at a server-chosen port that filters on ports 20 and 21 alone don't cover; they need either a firewall that tracks FTP control sessions or an explicitly allowed passive port range on the server.

To restrict FTP connections from the Internet, you typically place the FTP server in a DMZ, as shown in Figure 14.14.

Figure 14.14 Providing FTP access in a DMZ

Table 14.19 shows the packet filters that you need to establish at the external firewall to allow access to the FTP server in the DMZ.

Table 14.19 FTP Server Packet Filters

Protocol      Source IP        Source Port   Target IP        Target Port   Transport Protocol   Action
FTP Data      Any              Any           192.168.77.7     20            TCP                  Allow
FTP           Any              Any           192.168.77.7     21            TCP                  Allow
FTP Data      192.168.77.7     20            Any              Any           TCP                  Allow
FTP           192.168.77.7     21            Any              Any           TCP                  Allow

The first two packet filters allow any Internet user to open a control connection to the FTP server (192.168.77.7) on TCP port 21; standard clients never connect to port 20 themselves, so the first filter rarely matches. The last two packet filters let the FTP server initiate connections outbound, which is what active-mode data connections from TCP port 20 require. Note that the fourth filter also lets any process on the server that binds source port 21 reach any host and port on the Internet, which is broader than FTP needs; if your firewall mirrors the port 21 control filter, that fourth filter can usually be dropped.

NOTE

The packet filters listed in Table 14.19 assume that clients use active-mode (server-initiated) data connections. The last two packet filters allow data transfers initiated by the FTP server to pass through the external firewall. If all clients used passive mode, you could remove the last two filters, but you would then need to permit connections to the server's passive data port range instead.

Making the Decision

When configuring a firewall to allow access to an FTP server, include the following items in your security design:

Establish packet filters at the external firewall to allow only TCP port 20 and TCP port 21 packets to reach the FTP server.

If active-mode clients exist, or if you aren't sure, establish reverse packet filters that originate at the FTP server from TCP port 20 so that the server can open data connections to clients. If passive-mode clients exist, plan for the server's passive data port range as well, preferably on a firewall that tracks the FTP control session and opens the data port dynamically.

To provide maximum password security, allow only anonymous access to the FTP server. FTP uses plaintext authentication and is subject to password interception.
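To see why the port 20/21 filters above cover one transfer mode but not the other, here is an added example (not code from the original lesson or from any FTP product) that decodes the control-channel exchange from the client's PORT command or the server's 227 reply and reports which side opens the data connection and to which endpoint. The client address 203.0.113.10, the port tuples and the covered_by_table_14_19 check are constructed for the example.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class DataConnection:
    mode: str         # "active" or "passive"
    initiator: str    # "server" or "client": who opens the TCP data connection
    src_ip: str
    src_port: object  # port number, or "ephemeral" when the initiator picks one
    dst_ip: str
    dst_port: int


# h1,h2,h3,h4,p1,p2 as carried by the PORT command and the 227 reply (RFC 959)
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def decode_hostport(text):
    """Turn 'h1,h2,h3,h4,p1,p2' into ('h1.h2.h3.h4', p1*256 + p2)."""
    m = _HOSTPORT.search(text)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in: " + text)
    h1, h2, h3, h4, p1, p2 = map(int, m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def data_connection(client_ip, server_ip, client_line, server_line=None):
    """Derive the data connection a firewall must permit from the control-channel exchange.

    Active mode : client sends 'PORT h,h,h,h,p,p'; the server then connects from its
                  TCP port 20 to that client endpoint (server-initiated).
    Passive mode: client sends 'PASV'; server replies '227 ... (h,h,h,h,p,p)'; the client
                  then connects to that server-chosen port (client-initiated).
    """
    verb = client_line.split(" ", 1)[0].upper()
    if verb == "PORT":
        ip, port = decode_hostport(client_line)
        return DataConnection("active", "server", server_ip, 20, ip, port)
    if verb == "PASV" and server_line and server_line.startswith("227"):
        ip, port = decode_hostport(server_line)
        return DataConnection("passive", "client", client_ip, "ephemeral", ip, port)
    raise ValueError("unrecognised control exchange: " + client_line)


def covered_by_table_14_19(conn, ftp_server="192.168.77.7"):
    """Would the static filters of Table 14.19 (inbound to TCP 20/21, outbound from 20/21) pass it?"""
    if conn.initiator == "server":
        return conn.src_ip == ftp_server and conn.src_port in (20, 21)
    return conn.dst_ip == ftp_server and conn.dst_port in (20, 21)


# Constructed control-channel lines from a client at 203.0.113.10 (a documentation address)
CLIENT_IP, SERVER_IP = "203.0.113.10", "192.168.77.7"
ACTIVE = data_connection(CLIENT_IP, SERVER_IP, "PORT 203,0,113,10,195,80")
PASSIVE = data_connection(CLIENT_IP, SERVER_IP, "PASV",
                          "227 Entering Passive Mode (192,168,77,7,196,10)")

if __name__ == "__main__":
    for conn in (ACTIVE, PASSIVE):
        print(conn.mode, "data connection opened by", conn.initiator,
              f"{conn.src_ip}:{conn.src_port} -> {conn.dst_ip}:{conn.dst_port}",
              "covered" if covered_by_table_14_19(conn) else "NOT covered")
```

The active-mode connection (server port 20 to client port 50000) is exactly what the third filter in Table 14.19 allows. The passive-mode connection goes to server port 50186, which no filter in the table names, so a client behind a firewall of its own that only speaks passive mode would fail at the data transfer even though the control connection succeeded.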

Applying the Decision

Market Florist must allow external client computers to use only the FTP protocol to connect to the MFFTP server in the DMZ. To accomplish this, apply the packet filters shown in Table 14.20 at the external firewall.

Table 14.20 FTP Server Packet Filters for Market Florist

Protocol      Source IP        Source Port   Target IP        Target Port   Transport Protocol   Action
FTP Data      Any              Any           192.168.77.7     20            TCP                  Allow
FTP           Any              Any           192.168.77.7     21            TCP                  Allow
FTP Data      192.168.77.7     20            Any              Any           TCP                  Allow
FTP           192.168.77.7     21            Any              Any           TCP                  Allow

The first two packet filters allow Internet users to open FTP control connections to the MFFTP server (192.168.77.7). The last two packet filters allow the MFFTP server to initiate active-mode data transfers to clients from TCP port 20.

Configure the FTP server to accept only anonymous connections. The FTP server is used to download floral arrangement brochures and authenticated access isn't required. Anonymous access ensures that credentials can't be intercepted. John and Pat will use Telnet from the private network to manage the data in the Ftproot folder.

NOTE

To allow Telnet access from the private network, the internal firewall must either allow all traffic from the private network to the DMZ or restrict access to TCP port 23 on the MFFTP server. Keep in mind that Telnet sends the administrators' credentials and session data in cleartext, so the filter limits who can reach the service but doesn't protect the logon itself.

Securing Mail Traffic

Many organizations use e-mail to communicate within the organization and with other organizations. Ensure that mail servers are secured against attacks by allowing only authorized protocols to connect to the mail server.

Carefully plan mail access for an organization so that e-mail doesn't cause security problems. Typically, a mail server must support several protocols for e-mail access. Common protocols supported by mail servers include

Post Office Protocol v3 (POP3). Used by e-mail users to retrieve their messages from the mail server. POP3 introduces a security risk because authentication is performed using plaintext.

Internet Message Access Protocol v4 (IMAPv4). Used by newer e-mail client software to retrieve messages from the mail server. IMAPv4 gives access to all folders on the mail server, not just the Inbox. Like POP3, IMAPv4 uses plaintext authentication.

Simple Mail Transfer Protocol (SMTP). Used by e-mail client software and by other mail servers to send messages to e-mail recipients. SMTP is subject to spamming attacks in which unsolicited messages are relayed through an unprotected mail server.

NOTE

You can prevent SMTP relaying on a server so that only e-mail messages addressed to a mailbox hosted on that server are accepted. Alternatively, you can allow SMTP relaying only for authenticated users, or only for specific IP addresses or network ranges.

Lightweight Directory Access Protocol (LDAP). Used by e-mail client software as a directory for the e-mail server. LDAP provides the ability to find e-mail addresses on a mail server. LDAP uses plaintext authentication by default.

IMPORTANT

You can protect POP3, IMAPv4, and LDAP by implementing SSL. The protocols will use SSL encryption to protect user account and password verification during the authentication process.

Table 14.21 lists the packet filters that you must establish at the external firewall to allow access to the mail server in the DMZ by external client computers.

Table 14.21 Mail Server Packet Filters

Protocol      Source IP        Source Port   Target IP        Target Port   Transport Protocol   Action
POP3          Any              Any           10.30.30.43      110           TCP                  Allow
POP3-SSL      Any              Any           10.30.30.43      995           TCP                  Allow
IMAP4         Any              Any           10.30.30.43      143           TCP                  Allow
IMAP4-SSL     Any              Any           10.30.30.43      993           TCP                  Allow
LDAP          Any              Any           10.30.30.43      389           TCP                  Allow
LDAP-SSL      Any              Any           10.30.30.43      636           TCP                  Allow
SMTP          Any              Any           10.30.30.43      25            TCP                  Allow
SMTP          10.30.30.43      Any           Any              25            TCP                  Allow

The first two packet filters allow POP3 clients, with and without SSL, to connect to the mail server (10.30.30.43). The third and fourth packet filters allow IMAP4 clients, with and without SSL, to connect to the mail server. The fifth and sixth packet filters allow LDAP clients, with and without SSL, to connect to the mail server. The seventh packet filter allows the mail server to accept SMTP messages from the Internet, and the final packet filter allows the mail server to send SMTP messages to any SMTP server on the Internet.

NOTE

Some mail servers, such as Exchange Server 5.5 and Exchange 2000 Server, support HTTP-based access to user mailboxes. To support HTTP-based access, you can add additional packet filters to allow HTTPS to access the mail server.

Making the Decision

When configuring a firewall to allow access to a mail server, include the following items in your security design:

Determine which protocols will be allowed to access the mail server from the public network. In many cases the only protocol allowed to connect to the mail server from the public network is SMTP, because the organization doesn't want mailboxes to be read from the public network.

Establish restrictions on SMTP relaying to prevent the mail server from becoming a source for unsolicited bulk e-mail.

Restrict which protocols can be used to connect to the mail server from the private network. Strategies include

Restrict access to specific protocols, such as allowing only POP3 and SMTP protocol access.

Restrict access to specific servers. Use this strategy if the organization has multiple mail servers and the mail server in the DMZ only acts as a gateway to the other e-mail system.

Allow private network client computers to connect using any protocol, provided they're located on the private network.

Applying the Decision

Market Florist must restrict which protocols can connect to the mail server in the DMZ. According to the scenario, only POP3 and SMTP will be used to connect to the mail server from the public network. To allow only these protocols, create the packet filters in Table 14.22 at the external firewall.

Table 14.22 Mail Server Packet Filters for Market Florist

Protocol      Source IP        Source Port   Target IP        Target Port   Transport Protocol   Action
POP3          Any              Any           192.168.77.8     110           TCP                  Allow
POP3-SSL      Any              Any           192.168.77.8     995           TCP                  Allow
SMTP          Any              Any           192.168.77.8     25            TCP                  Allow
SMTP          192.168.77.8     Any           Any              25            TCP                  Allow

The first two packet filters allow e-mail clients to retrieve mail from the MFMAIL server using POP3 or POP3 over SSL. The third packet filter allows the MFMAIL server to receive SMTP messages from the Internet, and the final packet filter allows the MFMAIL server to send SMTP messages to any mail server on the Internet.

In addition, configure the mail server to allow SMTP relaying only when the user authenticates with the MFMAIL server before the e-mail client attempts to relay. Because the remote sales force connects from unknown IP addresses, you can't base the relay restriction on source network addresses.
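An added example of the relay restriction described above, not code from the original lesson or from any mail server product: a small policy function that accepts mail for hosted mailboxes, relays only for authenticated users (the remote sales force) or for a trusted private network (10.10.10.0/24, an assumption made for the example), and rejects everything else, plus a constructed envelope handler that shows the reply codes an Internet host would receive. The local domain marketflorist.tld is taken from the Web site name in the scenario; the client addresses and session lines are constructed.

```python
import ipaddress

# Domains whose mailboxes live on MFMAIL (scenario domain taken from the Web site name).
LOCAL_DOMAINS = {"marketflorist.tld"}
# Assumption for this example: clients on the private network may relay without SMTP AUTH.
TRUSTED_RELAY_NETWORKS = [ipaddress.ip_network("10.10.10.0/24")]


def relay_decision(client_ip, authenticated, recipient):
    """Classify one RCPT TO address: 'accept-local', 'relay', or 'reject-relay'.

    Mail for a hosted mailbox is always accepted. Mail for anywhere else is a relay,
    and is allowed only for an authenticated user or a client on a trusted network;
    anything else would make MFMAIL an open relay.
    """
    domain = recipient.rpartition("@")[2].lower()
    if domain in LOCAL_DOMAINS:
        return "accept-local"
    if authenticated:
        return "relay"
    client = ipaddress.ip_address(client_ip)
    if any(client in net for net in TRUSTED_RELAY_NETWORKS):
        return "relay"
    return "reject-relay"


def smtp_envelope(client_ip, authenticated, lines):
    """Constructed envelope handler: reply code for each RCPT TO:<addr> line of a session."""
    replies = []
    for line in lines:
        verb, _, arg = line.partition(" ")
        if verb.upper() != "RCPT":
            continue
        address = arg.partition("<")[2].partition(">")[0]
        if relay_decision(client_ip, authenticated, address) == "reject-relay":
            replies.append("550 5.7.1 Relaying denied")
        else:
            replies.append("250 OK")
    return replies


# Constructed session: an unauthenticated Internet host tries to use MFMAIL as a relay.
SPAM_ATTEMPT = [
    "MAIL FROM:<bulk@example.org>",
    "RCPT TO:<victim@example.net>",          # not hosted here: a relay request
    "RCPT TO:<info@marketflorist.tld>",      # hosted mailbox: ordinary inbound mail
]

if __name__ == "__main__":
    print("Internet, no AUTH :", smtp_envelope("198.51.100.7", False, SPAM_ATTEMPT))
    print("Sales rep, AUTH   :", smtp_envelope("198.51.100.7", True, SPAM_ATTEMPT))
    print("Private network   :", smtp_envelope("10.10.10.55", False, SPAM_ATTEMPT))
```

The same unauthenticated session from the Internet is refused for the external recipient but accepted for the hosted mailbox, which is the behaviour a relay test against MFMAIL should show; an authenticated sales-force client gets both recipients accepted regardless of its source address.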

Securing Application Traffic

Servers in the DMZ are often required to store or access data from an application server, such as an SQL server, in the private network. You can protect the transfer of data by configuring the internal firewall to allow only specific protocols to pass between the server in the DMZ and the application server in the private network.

It's too risky to place the application server in the DMZ, because the data it stores would be exposed to every host that can reach the DMZ, including any Internet-facing server that has been compromised. When you make use of the internal firewall's packet filtering, only authorized connections between the server in the DMZ and the application server in the private network can take place.

You can manage the connection between the two servers by using one of three methods:

Attach the server in the DMZ directly to the computer on the private network using a crossover cable and a protocol other than TCP/IP. This strategy works only when the two servers are near each other. But it offers little control over what data can be transmitted between the two servers.

Open the firewall to allow the native protocol to transfer between the server in the DMZ and the application server in the private network, as shown in Figure 14.16. The risk with this configuration is that the data transmitted between the two servers may be passed in plaintext and allow confidential data to be inspected by a network sniffer. Network sniffers are able to view the contents of any unencrypted data packets transmitted on the network.

Figure 14.16 Securing access to an SQL server on the private network

Use IPSec to encrypt the data transmitted between the server in the DMZ and the application server in the private network. As long as the internal firewall isn't performing NAT on the transmitted data, you can use IPSec to encrypt all data transmitted between the two servers. For example, if the application server is an SQL server, the connection to the server would be TCP port 1433. All data sent to that port on the SQL server could be encrypted as shown in Figure 14.17.

Figure 14.17 Securing access to an SQL server on the private network by using IPSec

NOTE

IPSec encryption prevents the firewall from inspecting the actual protocol that's being transmitted through the firewall. Be sure to set up your rules so that only server-to-server connections are allowed to pass using IPSec. This prevents other servers from establishing IPSec agreements and attempting to pass through the firewall.

Once you've identified the participating servers and the necessary protocols, define the packet filters necessary to allow communications to take place. Table 14.23 lists the packet filter required to write data to an SQL server using TCP/IP socket connections from a Web server in the DMZ as shown in Figure 14.16.

Table 14.23 SQL Server Packet Filters for the Internal Firewall

Protocol      Source IP        Source Port   Target IP        Target Port   Transport Protocol   Action
SQL Data      10.30.30.41      Any           10.20.30.50      1433          TCP                  Allow

The packet filter permits the Web server (10.30.30.41) to connect to the SQL server (10.20.30.50) using only an SQL data connection. No other computers in the DMZ are allowed to connect to the SQL server. Also, the Web server can't use any other protocols to connect to the SQL server.

In this case the external firewall would use the same filters defined in Table 14.17: public network clients are allowed to connect only to the Web server. The public network clients never query the SQL server on the private network; the Web server performs the query on behalf of the external customer. For the transaction to occur, the external customer only needs to connect to the Web server using HTTP or HTTPS.

If the connection between the Web server and the SQL server uses IPSec to encrypt all transmitted data, set up the packet filters at the internal firewall to allow both Internet Key Exchange (IKE) packets and IPSec ESP packets to pass, as shown in Table 14.24.

Table 14.24 IPSec Packet Filters for the Internal Firewall

Protocol      Source IP        Source Port   Target IP        Target Port   Transport Protocol   Action
IKE           10.30.30.41      500           10.20.30.50      500           UDP                  Allow
ESP           10.30.30.41      n/a           10.20.30.50      n/a           ID 50                Allow

(n/a: ESP carries no port numbers; the filter matches on IP protocol ID 50 only.)

The first packet filter allows the Web server (10.30.30.41) to negotiate an IPSec SA with the SQL server (10.20.30.50). The second packet filter assumes that only ESP will be used to protect the IPSec packets and enables any packets encrypted with ESP (protocol ID 50) sent between the Web server and the SQL server to pass through the firewall.
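What the internal firewall can and can't see once IPSec is in use, as an added example rather than code from the original lesson: it builds a few IPv4 packets with constructed headers, extracts only the fields a packet filter has access to, and evaluates them against Table 14.24 with packet filter mirroring applied to the reply direction. The SPI values, payload bytes and the extra DMZ host 10.30.30.42 are assumptions made for the example.

```python
import struct

IPPROTO_TCP, IPPROTO_UDP, IPPROTO_ESP, IPPROTO_AH = 6, 17, 50, 51


def build_ipv4(src, dst, proto, payload):
    """Constructed IPv4 header (20 bytes, no options, checksum left zero) in front of a payload."""
    header = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | 5, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    return header + payload


def visible_fields(packet):
    """Extract only what a packet filter can see without decrypting anything."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    fields = {
        "src": ".".join(str(b) for b in packet[12:16]),
        "dst": ".".join(str(b) for b in packet[16:20]),
        "proto": proto,
    }
    body = packet[ihl:]
    if proto in (IPPROTO_TCP, IPPROTO_UDP):
        fields["sport"], fields["dport"] = struct.unpack("!HH", body[:4])
    elif proto == IPPROTO_ESP:
        # The ESP header is SPI + sequence number; everything after it is ciphertext,
        # so the inner protocol (TCP 1433 or anything else) is not visible to the filter.
        fields["spi"], fields["seq"] = struct.unpack("!II", body[:8])
    return fields


# Table 14.24, internal firewall: IKE between the Web server and the SQL server, and ESP (ID 50).
TABLE_14_24 = [
    {"src": "10.30.30.41", "sport": 500, "dst": "10.20.30.50", "dport": 500, "proto": IPPROTO_UDP},
    {"src": "10.30.30.41", "dst": "10.20.30.50", "proto": IPPROTO_ESP},
]


def mirrored(rule):
    """Packet filter mirroring (Lesson 1): the reply direction of an allowed filter is allowed too."""
    reply = dict(rule, src=rule["dst"], dst=rule["src"])
    if "sport" in rule:
        reply["sport"], reply["dport"] = rule["dport"], rule["sport"]
    return reply


def permitted(packet, table=TABLE_14_24):
    fields = visible_fields(packet)
    for rule in table + [mirrored(r) for r in table]:
        if all(fields.get(key) == value for key, value in rule.items()):
            return True
    return False   # nothing listed: dropped under "specify allowed, prohibit everything else"


WEB, SQL, OTHER_DMZ_HOST = "10.30.30.41", "10.20.30.50", "10.30.30.42"
# Constructed sample packets; a UDP header is sport, dport, length, checksum
IKE_WEB_TO_SQL = build_ipv4(WEB, SQL, IPPROTO_UDP, struct.pack("!HHHH", 500, 500, 8 + 4, 0) + b"IKE!")
ESP_WEB_TO_SQL = build_ipv4(WEB, SQL, IPPROTO_ESP, struct.pack("!II", 0x1234ABCD, 1) + b"\x9a" * 32)
ESP_SQL_TO_WEB = build_ipv4(SQL, WEB, IPPROTO_ESP, struct.pack("!II", 0x0BADF00D, 1) + b"\x3c" * 32)
ESP_OTHER_TO_SQL = build_ipv4(OTHER_DMZ_HOST, SQL, IPPROTO_ESP, struct.pack("!II", 0x5555, 1) + b"\x00" * 32)
AH_WEB_TO_SQL = build_ipv4(WEB, SQL, IPPROTO_AH, b"\x00" * 24)
TCP_1433_IN_CLEAR = build_ipv4(WEB, SQL, IPPROTO_TCP, struct.pack("!HH", 49200, 1433) + b"\x00" * 16)

if __name__ == "__main__":
    samples = [("IKE web->sql", IKE_WEB_TO_SQL), ("ESP web->sql", ESP_WEB_TO_SQL),
               ("ESP sql->web (reply)", ESP_SQL_TO_WEB), ("ESP other host->sql", ESP_OTHER_TO_SQL),
               ("AH web->sql", AH_WEB_TO_SQL), ("TCP 1433 in the clear", TCP_1433_IN_CLEAR)]
    for name, pkt in samples:
        print(f"{name:24} {visible_fields(pkt)} -> {'pass' if permitted(pkt) else 'drop'}")
```

Two things fall out of the output. First, the ESP packet exposes only addresses, protocol ID and SPI, so the filter has no way to confirm that TCP 1433 is what's inside; that is exactly the warning about inspecting the IPSec filters on the servers themselves. Second, an AH packet (protocol ID 51) and a cleartext SQL connection are both dropped, because neither appears in Table 14.24: once the Web server is required to use ESP, the unencrypted SQL Data filter of Table 14.23 should no longer be present.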

Making the Decision

When configuring a firewall to allow access to an application server on the private network, configure the firewall rules to match how data transmissions take place. Your design should include the following:

Determine which protocols are required to access the server-based component in the DMZ. In many cases the server-based component will be a Web-based application running on a Web server.

Configure the external firewall to allow only public network client computers to connect to the server in the DMZ using the protocols required for the server-based component.

Determine which protocols the server-based component uses to connect to the application server in the private network.

Determine the securest method to connect the server in the DMZ to the application server in the private network. Be sure to include a strategy to prevent inspection of data in the DMZ.

Define the necessary packet filters at the internal firewall to allow only the required protocols to exchange data between the DMZ and the private network.

Applying the Decision

Market Florist must allow customers to connect to the SQL server on the private network using both a Web interface for customer registration and the Flower Power application to store order information. Because the customer registration information requires transmission security, all data transmitted between the Web server (MFWEB) and the SQL server (MFSQL) must be encrypted using IPSec transport mode, as shown in Table 14.25.

Table 14.25 Flower Power Packet Filters for Market Florist

Protocol      Source IP        Source Port   Target IP        Target Port   Transport Protocol   Action
HTTP          Any              Any           192.168.77.2     80            TCP                  Allow
HTTPS         Any              Any           192.168.77.2     443           TCP                  Allow
Flower Power  Any              Any           192.168.77.2     6834          UDP                  Allow
IKE           192.168.77.3     500           10.10.10.20      500           UDP                  Allow
IKE           192.168.77.4     500           10.10.10.20      500           UDP                  Allow
IKE           192.168.77.5     500           10.10.10.20      500           UDP                  Allow
IKE           192.168.77.6     500           10.10.10.20      500           UDP                  Allow
ESP           192.168.77.3     n/a           10.10.10.20      n/a           ID 50                Allow
ESP           192.168.77.4     n/a           10.10.10.20      n/a           ID 50                Allow
ESP           192.168.77.5     n/a           10.10.10.20      n/a           ID 50                Allow
ESP           192.168.77.6     n/a           10.10.10.20      n/a           ID 50                Allow

(n/a: ESP carries no port numbers; the filter matches on IP protocol ID 50 only.)

The first two packet filters allow public network users to connect to the MFWEB server (192.168.77.2) using either HTTP or HTTPS. The third packet filter allows public network users to connect to the Flower Power server-side application listening on UDP port 6834 on the MFWEB server. The next four packet filters allow IPSec SAs to be negotiated between each component server in the NLBS Web cluster and the MFSQL server (10.10.10.20). You must establish separate packet filters for each Web server in the NLBS cluster because IPSec SAs are established between two computers, not between a computer and an NLBS cluster. The last four packet filters allow each component server in the NLBS cluster to send ESP-encrypted SQL-data packets to the MFSQL server.

WARNING

The last eight packet filters allow the MFSQL server and the MFWEB cluster nodes to exchange data in any protocol, because the firewall passes every ESP packet (protocol ID 50) between those addresses without being able to see what it carries. (An SA that used Authentication Header, protocol ID 51, isn't listed and would be blocked.) To prevent unauthorized protocols from riding inside the IPSec SAs, inspect the IPSec filters at each server regularly to ensure that they encrypt only the authorized protocols, in this case the SQL data connection.

Securing Terminal Server Traffic

Terminal Services allows an administrator to connect to servers on the network using the Remote Desktop Protocol (RDP). You can restrict Terminal Services to administrative use by running it in Remote Administration mode rather than Application Server mode.

To restrict access to a terminal server, configure the external firewall to allow only RDP connections to the terminal server. As shown in Figure 14.18, configure the external firewall to allow only connections using RDP to pass through to the terminal server.

Figure 14.18 Securing access to a terminal server in the DMZ

Configure the terminal server to require strong encryption of the connection. If the Windows 2000 High Encryption Pack is installed at both the Terminal Services client computer and the server running Terminal Services, 128-bit RC4 encryption is used to protect transmitted data. If either the client or the server doesn't have the High Encryption Pack, 40-bit or 56-bit encryption is used.

To allow the RDP to pass through the external firewall, you must define the packet filter in Table 14.26.

Table 14.26 Terminal Services Packet Filters

Protocol      Source IP        Source Port   Target IP        Target Port   Transport Protocol   Action
RDP           Any              Any           10.30.30.44      3389          TCP                  Allow

This packet filter allows any computer to connect to the terminal server (10.30.30.44) with the RDP protocol. Any attempts to connect to the terminal server with other protocols are denied.

Making the Decision

When configuring a firewall to allow access to a terminal server located in the DMZ, consider the following design points:

Configure the firewall to allow only connections to TCP port 3389, the RDP protocol, to pass through the firewall.

Configure the terminal server to use the highest level of encryption supported by the client computers, subject to local import and export laws.

If you require only administrative access to the terminal server, configure the terminal server to use Remote Administration mode. This action prevents nonadministrative users from connecting to the terminal server.

Applying the Decision

Market Florist wants to use Terminal Services to manage all servers in the DMZ from the private network. To restrict access to Terminal Services to administrators only, configure Terminal Services to use Remote Administration mode at all computers in the DMZ. In addition, establish the packet filters shown in Table 14.27.

Table 14.27 Terminal Services Packet Filters for Market Florist

Protocol   Source IP       Source Port   Target IP        Target Port   Transport Protocol   Action
RDP        10.10.10.0/24   Any           192.168.77.3     3389          TCP                  Allow
RDP        10.10.10.0/24   Any           192.168.77.4     3389          TCP                  Allow
RDP        10.10.10.0/24   Any           192.168.77.5     3389          TCP                  Allow
RDP        10.10.10.0/24   Any           192.168.77.6     3389          TCP                  Allow
RDP        10.10.10.0/24   Any           192.168.77.7     3389          TCP                  Allow
RDP        10.10.10.0/24   Any           192.168.77.8     3389          TCP                  Allow
RDP        10.10.10.0/24   Any           192.168.77.9     3389          TCP                  Allow
RDP        10.10.10.0/24   Any           192.168.77.254   3389          TCP                  Allow

The packet filters configured in Table 14.27 limit RDP access to the servers located in the DMZ from the private network (10.10.10.0/24). All other connections are implicitly denied.

NOTE

You don't need to establish a separate packet filter for the NLBS cluster IP address. Each node of the NLBS cluster service allows Terminal Services connections from the private network.

Securing VPN Traffic

When an organization wants its network to permit VPN traffic, it must consider how the tunneling protocol it chooses affects its firewall and network infrastructure design. Remember that L2TP and IPSec tunnel mode both use IPSec to provide encryption services to the tunnel. IPSec is unable to pass through a firewall that performs NAT on incoming and outgoing packets.

This section examines the design decisions you face when deploying PPTP, L2TP/IPSec, and IPSec tunnel mode servers in a DMZ.

Securing PPTP Tunnel Traffic

You don't have to take any special considerations into account when placing a PPTP tunnel server in your network. It doesn't matter if the external firewall performs NAT on incoming and outgoing packets. The only requirement is to place the tunnel server in the DMZ, as shown in Figure 14.19.

Figure 14.19 Securing access to a PPTP tunnel server in the DMZ

To support the placement of the PPTP tunnel server in the DMZ, configure the external firewall to allow connections to the tunnel server using PPTP (TCP port 1723) and the Generic Routing Encapsulation (GRE) protocol (protocol ID 47). Table 14.28 lists the packet filters that you must establish at the external firewall to support the network shown in Figure 14.19.

Table 14.28 PPTP Packet Filters at the External Firewall

Protocol   Source IP   Source Port   Target IP     Target Port   Transport Protocol   Action
PPTP       Any         Any           10.30.30.45   1723          TCP                  Allow
GRE        Any         n/a           10.30.30.45   n/a           ID 47                Allow

The first packet filter allows PPTP connections from any computer on the public network to the PPTP server (10.30.30.45). The second packet filter allows GRE packets, which PPTP uses to encapsulate the original data packets, to pass through the external firewall to the PPTP server. GRE is an IP protocol rather than a TCP or UDP service, so the filter identifies it by protocol ID rather than by port.

To protect the Active Directory database, you can deploy the PPTP server as a member of a workgroup rather than as a member of the domain. To support domain authentication, configure the tunnel server as a RADIUS client to a RADIUS server on the private network. To support this, configure the internal firewall to allow RADIUS authentication (UDP port 1812) packets and RADIUS accounting (UDP port 1813) packets to pass from the tunnel server to the RADIUS server on the private network. No additional encryption is required because the RADIUS protocol provides encryption services.

To support RADIUS authentication to a RADIUS server in the private network, configure the internal firewall with the packet filters listed in Table 14.29.

Table 14.29 RADIUS Authentication Filters at the Internal Firewall

Protocol         Source IP     Source Port   Target IP     Target Port   Transport Protocol   Action
RADIUS Auth      10.10.10.45   Any           10.20.30.60   1812          UDP                  Allow
RADIUS Accting   10.10.10.45   Any           10.20.30.60   1813          UDP                  Allow

The first packet filter allows the PPTP server (10.10.10.45) to forward RADIUS authentication requests to the RADIUS server (10.20.30.60) on the private network. The second filter allows RADIUS accounting packets to be sent from the PPTP server to the RADIUS server for centralized collection of accounting information.

NOTE

An L2TP tunnel server uses the same filters to provide authentication to a remote access client. Once the data has entered the DMZ, authentication takes place in the same manner.

Securing L2TP/IPSec Tunnel Traffic

L2TP tunnel connections require that the tunnel server not be placed behind a firewall that performs NAT. You can modify the configuration of the DMZ to meet this requirement.

Figure 14.20 depicts the most basic configuration in which the DMZ uses public network addressing. Because the firewall doesn't perform NAT, you can place the L2TP tunnel server in the DMZ like a PPTP tunnel server.

Figure 14.20 Securing access to an L2TP tunnel server in the DMZ using public network addressing

Alternatively, you can establish a hybrid DMZ that consists of an outer DMZ and an inner DMZ, as shown in Figure 14.21.

Figure 14.21 Securing access to an L2TP tunnel server in the hybrid DMZ

In this configuration the outer DMZ uses public network addressing so that NAT isn't performed on any of the packets destined for the L2TP tunnel server. Once the packets reach the tunnel server and are decrypted, they can pass through the intermediate firewall that's performing NAT to the inner DMZ. The packets can also pass all the way to the private network through both the intermediate and internal firewalls.

Finally, Figure 14.22 shows an L2TP tunnel deployment where the L2TP tunnel server is parallel to the firewall at the public network boundary.

Figure 14.22 Securing access to an L2TP perimeter server

In this configuration the L2TP tunnel server is a dual-homed server: its external network interface card (NIC) is attached to the public network, and its internal NIC is attached to the DMZ.

IMPORTANT

To protect the external NIC, you must establish packet filters to allow only L2TP/IPSec connections. All other connection attempts must be denied.

The L2TP tunnel server is configured to use the NAT service included in Windows 2000 to translate private network addresses in the DMZ to public network addresses.

In each of these scenarios you must apply the packet filters in Table 14.30 at the external firewall to allow only L2TP/IPSec connections to pass through to the tunnel server. In the case of the L2TP perimeter server, you apply the packet filters to the L2TP perimeter server's external NIC.

Table 14.30 L2TP/IPSec Filters at the External Firewall

Protocol   Source IP   Source Port   Target IP      Target Port   Transport Protocol   Action
IKE        Any         500           131.107.40.5   500           UDP                  Allow
ESP        Any         n/a           131.107.40.5   n/a           ID 50                Allow

The first packet filter allows any remote client computer to negotiate an IPSec SA with the L2TP server (131.107.40.5). The second packet filter allows the remote client computer to exchange ESP-encrypted data with the L2TP server.

NOTE

Even though L2TP is defined to use UDP port 1701 for connections, the external firewall or external NIC of the L2TP perimeter server doesn't require a packet filter for this protocol. It's only after the transmission is accepted at the tunnel server that the L2TP packet is decrypted from the IPSec ESP packet. Only the IPSec ESP packet must be allowed to pass through the firewall.

Making the Decision

When configuring a firewall to allow access to an L2TP tunnel server located in the DMZ, consider the following:

Use public network addressing if the L2TP tunnel server is placed in the DMZ.

If the DMZ uses private network addressing as defined in RFC 1918, consider establishing an outer DMZ that uses public network addressing or configuring the L2TP server as a perimeter server with an interface on the public network to accept tunnel connections.

Configure the external firewall to pass the tunneling protocol used by the tunnel server in the DMZ. For PPTP, this requires packet filters that permit PPTP (TCP port 1723) and GRE (protocol ID 47) to pass to the tunnel server. For L2TP, this requires the external firewall to allow IKE (UDP port 500) and ESP (protocol ID 50) packets to pass through to the tunnel server.

Configure the internal firewall to allow RADIUS authentication to a RADIUS server on the private network. RADIUS authentication provides domain logon capabilities for remote access when the tunnel server is located in a DMZ. Configure packet filters for RADIUS authentication (UDP port 1812) and RADIUS accounting (UDP port 1813) that allow RADIUS transmissions only from the tunnel server to the RADIUS server.

Applying the Decision

The MFTUNNEL server is assigned an IP address of 192.168.77.9, which is an RFC 1918–defined private network address. This address indicates that the firewall for Market Florist is using NAT to protect the private network IP addressing scheme. The only tunneling protocol supported in this network infrastructure is PPTP.

To meet all design objectives for the Market Florist remote access solution, configure the firewall to allow the MFTUNNEL server to pass RADIUS authentication and accounting packets to the Internet Authentication Services (IAS) server at IP address 10.10.10.200. Table 14.31 shows the packet filters that you must create at the firewall to allow the necessary traffic to pass.

Table 14.31 Tunnel Packet Filters at the Market Florist Firewall

Protocol         Source IP      Source Port   Target IP      Target Port   Transport Protocol   Action
PPTP             Any            Any           192.168.77.9   1723          TCP                  Allow
GRE              Any            n/a           192.168.77.9   n/a           ID 47                Allow
RADIUS Auth      192.168.77.9   Any           10.10.10.200   1812          UDP                  Allow
RADIUS Accting   192.168.77.9   Any           10.10.10.200   1813          UDP                  Allow

The first two filters allow remote clients to connect to the MFTUNNEL server (192.168.77.9) using only PPTP connections. Because the MFTUNNEL server is behind a firewall that performs NAT, you don't need to include packet filters for IPSec traffic. The last two filters allow RADIUS authentication and RADIUS accounting packets to be passed from the MFTUNNEL server to the RADIUS server (10.10.10.200) on the private network.
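The following Python model, added here as an illustration and not part of the training kit, evaluates packets against the Market Florist filter list: the rows of Table 14.31 plus the MFTUNNEL row of Table 14.27, processed top to bottom with the implicit deny the lesson describes. It also serves the Terminal Services section above, since the same rule matcher handles the RDP filters. The remote client address 131.107.2.200 used in the checks is constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Rules transcribed from Table 14.31 (Market Florist firewall) plus the MFTUNNEL
# row of Table 14.27. dst_port None models the blank port cell of protocols that
# carry no port (GRE is protocol ID 47, ESP is ID 50).
@dataclass(frozen=True)
class Rule:
    name: str
    src: str                 # "Any", a host address, or a CIDR block
    dst: str
    transport: str           # "TCP", "UDP", or "ID <n>" for a raw IP protocol
    dst_port: Optional[int]
    action: str = "Allow"

RULES = [
    Rule("RDP",            "10.10.10.0/24", "192.168.77.9", "TCP",   3389),
    Rule("PPTP",           "Any",           "192.168.77.9", "TCP",   1723),
    Rule("GRE",            "Any",           "192.168.77.9", "ID 47", None),
    Rule("RADIUS Auth",    "192.168.77.9",  "10.10.10.200", "UDP",   1812),
    Rule("RADIUS Accting", "192.168.77.9",  "10.10.10.200", "UDP",   1813),
]

def _ip_matches(pattern, ip):
    if pattern == "Any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)

def _transport_matches(rule_transport, proto):
    # proto is "TCP", "UDP", or an IP protocol number such as 47 for GRE
    if rule_transport.startswith("ID "):
        return proto == int(rule_transport[3:])
    return rule_transport == proto

def evaluate(src_ip, dst_ip, proto, dst_port=None, rules=RULES):
    """Top-to-bottom, first match decides; anything unmatched is dropped, which
    is the 'allow listed protocols, prohibit everything else' strategy."""
    for rule in rules:
        if (_ip_matches(rule.src, src_ip) and _ip_matches(rule.dst, dst_ip)
                and _transport_matches(rule.transport, proto)
                and (rule.dst_port is None or rule.dst_port == dst_port)):
            return rule.action, rule.name
    return "Deny", "implicit"

def public_exposure(rules=RULES):
    """Review aid: every service the filter set opens to any source address."""
    return [(r.name, r.dst, r.transport, r.dst_port)
            for r in rules if r.action == "Allow" and r.src == "Any"]
```

Running public_exposure() against the list confirms that only PPTP and GRE on MFTUNNEL are reachable from the public network, while RDP and RADIUS remain restricted to their stated sources.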

Lesson Summary

Creating packet filters at external and internal firewalls takes careful planning and design. After deciding on a firewall strategy, you must define the packet filters to fit your strategy. Packet filters must allow only authorized protocols to pass through the firewall. If additional protocols can pass through the firewall, you may be leaving your network vulnerable to an attacker.